Lead Analysis
Security & Risk · 5 min

TeamPCP Steals 3,800 Internal Repositories from GitHub in Attack Chain Originating from TanStack's npm

Developer workstation left unattended at night with an open terminal and a GitHub mug on the desk

The TeamPCP group compromised a GitHub employee's device with a tampered VS Code extension to exfiltrate approximately 3,800 internal repositories. The company confirms that customer data was not affected.

GitHub confirmed on 20 May that a criminal group identified as TeamPCP, also tracked as UNC6780, exfiltrated approximately 3,800 of its internal repositories after compromising an employee's device with a tampered version of the Nx Console extension for Visual Studio Code. The company stated it found no evidence of compromise of customer repositories, organisations, or data external to the internal infrastructure, but added that the investigation is ongoing.


The attack is the fourth documented episode of TeamPCP's campaign against the open-source software supply chain. Researchers at Phoenix Security describe the group as specialised in open-source security utilities and AI middleware, with prior compromises involving Aqua's Trivy scanner, Checkmarx's KICS, and the LiteLLM library.


The Compromise Chain


The origin point was an attack on the TanStack npm supply chain, detected on 11 May 2026. TeamPCP combined three techniques: the "Pwn Request" pattern via the pull_request_target trigger of GitHub Actions, poisoning of the Actions cache in fork-to-base workflows, and extraction of OIDC tokens from the runner at runtime. Between 19:20 and 19:26 UTC on 11 May, the group published 84 malicious versions distributed across 42 packages in the @tanstack namespace, using the legitimate OIDC identity of the project's publication pipeline. The packages passed SLSA provenance checks and contained valid signed certificates, making them indistinguishable from legitimate versions for tools that verify cryptographic signatures.
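A defensive check for the workflow pattern described above, as an added example that is not from the original article, TanStack or GitHub: it flags workflow files that combine the pull_request_target trigger with a checkout of the pull request's head, and reports whether OIDC token issuance or the Actions cache is reachable in the same file. The sample workflow, the finding names and the audit_workflow function are constructed for illustration, and the matching is a line-level heuristic rather than a full YAML parse.

```python
import re

# Constructed sample workflow; not taken from TanStack or any real repository.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:        # runs with the base repository's privileges
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"\bref:.*(github\.event\.pull_request\.head\.(sha|ref)"
                      r"|github\.head_ref|refs/pull/)")
OIDC = re.compile(r"\bid-token:\s*write\b")
CACHE = re.compile(r"\buses:\s*actions/cache[/@]")


def audit_workflow(text):
    """Return finding ids for one workflow file; [] means no risky combination."""
    # Drop YAML comments so a commented-out trigger is not reported.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())
    if not TRIGGER.search(body) or not HEAD_REF.search(body):
        return []  # no fork code is checked out in a privileged run
    findings = ["untrusted-checkout"]
    if OIDC.search(body):
        findings.append("oidc-token-exposed")
    if CACHE.search(body):
        findings.append("cache-write-in-base-scope")
    return findings


if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run it over every file under .github/workflows in CI; a non-empty result means fork-controlled code executes in a job that holds the base repository's permissions.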


The compromise propagated to other dependent repositories within hours. Mistral AI, UiPath, and over 160 additional packages on npm and PyPI were subsequently affected. On 18 May, a developer from the Nx team installed version 18.95.0 of the Nx Console extension on their device; that version was available on the VS Code Marketplace for about 11 to 18 minutes before it was removed. The compromised extension collected the developer's GitHub access token and transmitted it to TeamPCP, thereby granting access to GitHub's internal infrastructure.


What Was Compromised and What Was Not


GitHub stated that TeamPCP's claims of access to approximately 3,800 repositories are "consistent with the direction" of its own internal investigation. The content of these repositories is the company's internal source code, not customer data. According to the company, there is no evidence of compromise of client information stored outside the internal platform infrastructure.


TeamPCP announced the stolen material and, according to security researchers, offered the code for $50,000, threatening to release it for free if no buyers emerged. Subsequent reports indicate the group's contact with LAPSUS$ for a joint sale at $95,000. GitHub reported that it is rotating credentials, isolating the compromised endpoint, and monitoring the infrastructure for subsequent activity.


What the Incident Exposes for Corporate Development Teams


The attack redefines the risk perimeter for any organisation relying on IDE extensions maintained by open-source communities. The malicious version of the Nx Console was active in the VS Code Marketplace for a maximum of 18 minutes, but that window was sufficient to compromise the device of an engineer with privileged access to the internal repositories of a platform with over 100 million registered developers.


For security teams in IT consultancies, the incident mandates two controls that typically fall outside the standard scope: integrity verification of IDE extensions, a category rarely included in corporate endpoint management policies, and the principle of least privilege for access tokens to version control systems. Developers with access to CI/CD pipelines and package publishing systems represent a compromise vector with an impact comparable to that of production system administrators, but they often receive different treatment in access control policies.


The conclusion of GitHub's investigation into the full scope of the incident will determine whether TeamPCP gained access to code signing keys, pipeline secrets, or any material that could facilitate further attacks against the platform's upstream supply chain, transforming what is currently confirmed as an internal incident into distributed risk for GitHub's entire customer base.
